How to set Delegate Access Rights for Microsoft Exchange

Written by Support InfoBridge

Overview

When security policies dictate that full access permissions may only be granted on specific mailboxes instead of on the entire domain, use delegation (the Add-MailboxPermission cmdlet). This is an Exchange permission that is restricted to mailboxes only.

This permission is not inheritable, so it cannot be assigned to Storage Servers, Storage Groups, or Storage Databases. A Windows PowerShell script can be used in the EMS to apply this permission when a mailbox is created, or to bulk-assign the permission to multiple mailboxes.

The created domain user (SyncUser) is used to access the Exchange folders of the synchronization users. There are 2 methods to set the correct Delegate access rights for the newly created domain user.

Method 1 can be used from the Exchange Management Console. It is the recommended method to use. (Note: This cannot be used for Office 365).

Method 2 can be used from the Exchange Management Shell. This method has no graphical user interface. (Note: This can also be used for Office 365).

How to

Method 1

Give the newly created user full access rights to the Exchange mail store via the Exchange Management Console. Please follow the steps as described below.

  • Start the Microsoft Exchange Management Console

  • Expand Microsoft Exchange On-Premises, then expand Recipient Configuration.

  • The Manage Full Access Permission wizard opens
  • Click Add. In the Select User or Group dialog, select the user to whom you want to grant Full Access.

  • Press Manage.

  • The user rights are applied, as you can see on the Completion page. The Summary states whether the Full Access permission was granted successfully, and also displays the Exchange Management Shell command that was used to grant it.
  • Press Finish to add the user rights to the mailbox store.

NOTE: Full Access permissions are not granted until the Microsoft Exchange Information Store Service caches the permissions and updates the cache. To grant the permissions immediately, stop and then restart the Microsoft Exchange Information Store Service.

Method 2

Give the newly created domain user access rights to each individual synchronization user, or to all users, via the Exchange Management Shell. Please follow the steps as described below.

  • Start the Microsoft Exchange Management Shell.

In the Exchange Management Shell run the following command to grant full access permissions for a single mailbox:

  • Add-MailboxPermission -Identity "targetmailbox" -User "Trusted User" -AccessRights FullAccess
  • Add-MailboxPermission -Identity "jdoe" -User "DOMAIN\syncuser" -AccessRights FullAccess

To confirm which permissions are assigned to a mailbox:

  • Get-MailboxPermission -Identity "targetmailbox" | Format-List
  • Get-MailboxPermission -Identity "jdoe" | Format-List

NOTE: Full Access permissions are not granted until the Microsoft Exchange Information Store Service caches the permissions and updates the cache. To grant the permissions immediately, stop and then restart the Microsoft Exchange Information Store Service.
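As an added example (not part of the original article or of the InfoBridge product), the following script bulk-assigns the Method 2 permission to a fixed list of mailboxes and then verifies the result, so the grant stays scoped to the mailboxes the synchronization actually needs. It assumes an open Exchange Management Shell session, a sync account named DOMAIN\syncuser, and a file C:\temp\sync-mailboxes.txt listing one mailbox identity per line; all three are placeholders.

```powershell
# Added example, not from the original article. Bulk-grant FullAccess on a
# fixed list of mailboxes to the sync account, then verify the result.
# Placeholders: the sync account name and the path of the mailbox list.
$SyncUser  = "DOMAIN\syncuser"
$Mailboxes = Get-Content -Path "C:\temp\sync-mailboxes.txt" |
    Where-Object { $_.Trim() -ne "" }

foreach ($mbx in $Mailboxes) {
    # Skip mailboxes that already carry an explicit, non-deny FullAccess
    # entry for the sync account, so re-running the script is idempotent.
    $existing = Get-MailboxPermission -Identity $mbx -User $SyncUser -ErrorAction SilentlyContinue |
        Where-Object { $_.AccessRights -contains "FullAccess" -and -not $_.IsInherited -and -not $_.Deny }
    if ($existing) {
        Write-Host "Already granted: $mbx"
        continue
    }

    # -AutoMapping:$false keeps Outlook on the sync account from auto-opening
    # every delegated mailbox (Exchange 2010 SP1 and later, Office 365).
    Add-MailboxPermission -Identity $mbx -User $SyncUser `
        -AccessRights FullAccess -InheritanceType All -AutoMapping:$false
    Write-Host "Granted FullAccess on $mbx to $SyncUser"
}

# Verification: report every mailbox in the input set where the sync account
# still does not hold FullAccess, so gaps are visible before the sync starts.
$Missing = foreach ($mbx in $Mailboxes) {
    $perm = Get-MailboxPermission -Identity $mbx -User $SyncUser -ErrorAction SilentlyContinue |
        Where-Object { $_.AccessRights -contains "FullAccess" -and -not $_.Deny }
    if (-not $perm) { $mbx }
}

if ($Missing) {
    Write-Warning "FullAccess still missing on: $($Missing -join ', ')"
} else {
    Write-Host "FullAccess confirmed on all $(@($Mailboxes).Count) mailboxes."
}
```

Remember the note above: a mailbox reported as granted may still not be usable until the Information Store has refreshed its permission cache.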

Powershell Command Generator

For ease of use, we have also created a PowerShell Command Generator, which may help in finding the correct command to execute.